Windows Security Log
The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity and other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of the three classic Windows event logs (Application, Security and System) viewable under Event Viewer. The Local Security Authority Subsystem Service (LSASS) writes events to the log; ordinary applications cannot. The Security Log is one of the primary tools used by administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense". [ [http://www.microsoft.com/technet/archive/winntas/maintain/security/ntsecuri.mspx?mfr=true The NT Security Log - Your Best and Last Defense] , R. Franklin Smith] The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity. [ [http://www.windowsitpro.com/Windows/Article/ArticleID/8785/8785.html Protecting the NT Security Log] , Randy Franklin Smith, Windows IT Pro, July 2000.]
Types of data logged
If the audit policy is set to record logons, a successful logon results in the account name being logged together with the name of the computer from which the logon was made and the logon type (console, network, service, and so on). [ [http://technet.microsoft.com/en-us/library/Bb742436.aspx Tracking Logon and Logoff Activity in Windows 2000] , Microsoft.] Depending on the version of Windows and the method of logon, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability. [ [http://www.windowsitpro.com/Windows/Article/ArticleID/40022/40022.html Capturing IP Addresses for Web Server Logon Events] , Randy Franklin Smith, "Windows IT Pro", October 2003.] The categories of events that can be logged are: [ [http://technet2.microsoft.com/windowsserver/en/library/962f5863-15df-4271-9ae0-4b0412e297491033.mspx?mfr=true Auditing Policy] , Microsoft.]
*Account logon events
*Account management
*Directory service access
*Logon events
*Object access
*Policy change
*Privilege use
*Process tracking
*System events
The sheer number of loggable events means that security log analysis can be a time-consuming task. [ [http://www.infosecwriters.com/text_resources/pdf/top5-log-analysis-mistakes.pdf “Five Mistakes of Security Log Analysis”] , Anton Chuvakin, Ph.D., GCIA, GCIH.] Third-party utilities have been developed to help identify suspicious trends. It is also possible to filter the log using customized criteria.
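The following PowerShell script is an added example, not code from the original article, showing the kind of customized filtering described above: it pulls successful logons from the local Security Log, extracts the account, workstation and source IP address from each record, and groups them so that an account appearing from many addresses or outside working hours stands out. It assumes Windows Vista / Server 2008 or later (event ID 4624; on Windows 2000 and Server 2003 the corresponding IDs are 528 and 540) and either an elevated prompt or membership in the Event Log Readers group. The one-day window and the "after hours" boundaries are assumptions chosen for the example.

```powershell
# Added example: list successful interactive (2) and remote-interactive (10)
# logons from the local Security log with their source address.
# Event ID 4624, the logon-type codes and the EventData field names are
# Microsoft's; the time window and the after-hours cutoffs are assumptions.

$since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624          # "An account was successfully logged on"
    StartTime = $since
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The structured fields live in the event XML, not in the rendered message.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.LogonType -in 2, 10) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress      # '-' or '::1' when no network address applies
        }
    }
}

# Logons per account and source address: one account from many addresses
# is the kind of trend a third-party analyser would flag.
$logons | Group-Object Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Logons outside 06:00-20:00 (assumed working hours).
$logons | Where-Object { $_.Time.Hour -lt 6 -or $_.Time.Hour -ge 20 } |
    Format-Table -AutoSize
```

Failed logons (event ID 4625, or 529 through 537 on older systems) can be pulled the same way by changing the `Id` in the filter; the `IpAddress` field is only populated for network logon types, which is the version-dependent gap the paragraph above describes.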
Attacks and countermeasures
Administrators are allowed to view and clear the log. On Windows NT, 2000, XP and Server 2003 there is no way to separate the right to view the log from the right to clear it. [ [http://www.windowsitpro.com/WindowsSecurity/Article/ArticleID/42811/42811.html Access Denied: Letting Users View Security Logs] , Randy Franklin Smith, July 2004 -- intermittently broken link as of 2007-9-27.] (Windows Vista and Server 2008 added the built-in Event Log Readers group, which grants read-only access to the Security Log without the "Manage auditing and security log" right needed to clear it.) In addition, an Administrator can use Winzapper to delete specific events from the log. For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable. [ [http://www.ntsecurity.nu/toolbox/winzapper/ Winzapper FAQ] , NTSecurity.] A defense against this is to set up a remote log server with all services shut off, allowing only console access, so that a copy of each event exists on a machine the intruder cannot reach with the compromised credentials. [ [http://honeynet.org/papers/enemy2/index.html Know Your Enemy: II] , Honeynet Project.]
As the log approaches its maximum size, it can either overwrite old events or stop logging new events. This makes it susceptible to attacks in which an intruder floods the log by generating a large number of new events, pushing the records of the activity they want to hide out of the log. A partial defense against this is to increase the maximum log size so that a greater number of events will be required to flood the log. It is possible to set the log to not overwrite old events, but as Chris Benton notes, "the only problem is that NT has a really bad habit of crashing when its logs become full". [ [http://nsi.arcert.gov.ar/webs/textos/ntaudit.pdf Auditing Windows NT] , Chris Benton.]
Randy Franklin Smith's "Ultimate Windows Security" points out that given the ability of administrators to manipulate the Security Log to cover unauthorized activity, separation of duty between operations and security-monitoring IT staff, combined with frequent backups of the log to a server accessible only to the latter, can improve security. [ [http://www.ultimatewindowssecurity.com/ebookChapter2.html Ultimate Windows Security] , Randy Franklin Smith.]
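The following PowerShell script is an added example, not code from the original article or from "Ultimate Windows Security", putting the last two paragraphs into practice on Windows Vista / Server 2008 or later: it raises the log size and switches the log to "archive when full" so a flood cannot silently discard old records, makes sure changes to the audit policy are themselves audited, gives the monitoring team read-only access, and exports the log to a server they control. The share path, the size budget and the group name are assumptions; `wevtutil`, `auditpol`, the Event Log Readers group and `Add-LocalGroupMember` (Windows 10 / Server 2016 and later) are standard Microsoft tooling. Run it from an elevated prompt.

```powershell
# Added example: harden the local Security log against flooding and
# tampering, and archive it to a server the operations team cannot reach.
# Assumptions: the share below is writable by this host and readable only
# by the security-monitoring staff; 1 GB is the chosen size budget.

$archiveShare = '\\logserver\secaudit$'
$maxBytes     = 1GB

# 1. Raise the size and stop overwriting: when full, archive the log to a
#    new file and start a fresh one (retention on, auto-backup on).
wevtutil sl Security /ms:$maxBytes /rt:true /ab:true

# 2. Make the attacker's own countermeasures visible: audit policy changes
#    (event 4719) and security state changes such as time changes (4616).
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable

# 3. Let the monitoring team read the log without being able to clear it.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'CORP\SecMonitoring' -ErrorAction SilentlyContinue

# 4. Export a copy off-box now. Schedule this at an irregular minute rather
#    than on the hour, for the reason given in the text below.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $archiveShare "$env:COMPUTERNAME-Security-$stamp.evtx"
wevtutil epl Security $dest

# 5. Confirm the settings took effect.
wevtutil gl Security | Select-String 'maxSize|retention|autoBackup'
auditpol /get /subcategory:"Audit Policy Change"
```

Built-in Windows Event Forwarding (a subscription on the collector plus `winrm quickconfig` and `wecutil` on the source) achieves the same separation continuously rather than on a schedule, which removes the timing window the next paragraphs describe.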
Another way to defeat the Security Log would be for a user to log in as Administrator and change the auditing policies to stop logging the unauthorized activity they intend to carry out. The policy change itself could be logged, depending on the "audit policy change" setting, but this event could be deleted from the log using Winzapper; and from that point onward, the activity would not generate a trail in the Security Log.
Microsoft notes, "It is possible to detect attempts to elude a security monitoring solution with such techniques, but it is challenging to do so because many of the same events that can occur during an attempt to cover the tracks of intrusive activity are events that occur regularly on any typical business network". [ [http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/attackdetection.mspx Security Monitoring and Attack Detection] , Microsoft, Aug. 29, 2006.]
As Benton points out, one way of preventing successful attacks is security through obscurity. Keeping the IT department's security systems and practices confidential helps prevent users from formulating ways to cover their tracks. If users are aware that the log is copied over to the remote log server at :00 of every hour, for instance, they may take measures to defeat that system by attacking at :10 and then deleting the relevant log events before the top of the next hour. Obscurity only raises the attacker's cost; it supplements, rather than replaces, off-box copies and separation of duty.
Of course, log manipulation is not needed for all attacks. Simply being aware of how the Security Log works can be enough to take precautions against detection. For instance, a user wanting to log into a fellow employee's account on a corporate network might wait until after hours to gain unobserved physical access to the computer in their cubicle; surreptitiously use a hardware keylogger to obtain their password; and later log in to that user's account through Terminal Services from a Wi-Fi hotspot whose IP address cannot be traced back to the intruder.
After the log is cleared through Event Viewer, one log entry is immediately created in the freshly cleared log noting the time it was cleared and the account that cleared it (event ID 517 on Windows NT, 2000 and Server 2003; 1102 on Windows Vista, Server 2008 and later). This information can be a starting point in the investigation of the suspicious activity, and its absence from a log whose oldest record is suspiciously recent is itself a clue.
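The following PowerShell script is an added example, not code from the original article, that hunts for the track-covering events discussed above on Windows Vista / Server 2008 or later: the log-cleared record (1102), the event logging service being shut down (1100), audit policy changes (4719) and system time changes (4616); on Windows 2000 and Server 2003 the equivalents of 1102 and 4719 are 517 and 612. It also compares the oldest surviving record with the last boot time, since a log that only reaches back a few hours on a long-running host has been cleared or flooded. The event IDs and XML field names are Microsoft's; the seven-day window is an assumption.

```powershell
# Added example: find the footprints of log tampering in the local Security log.
# 1102 = audit log cleared, 1100 = event logging service shut down,
# 4719 = system audit policy changed, 4616 = system time changed.
# The lookback window is an assumption.

$since = (Get-Date).AddDays(-7)
$ids   = 1102, 1100, 4719, 4616

$hits = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $hits) {
    $x = [xml]$e.ToXml()
    switch ($e.Id) {
        1102 {
            # The clearing record keeps the actor under UserData, not EventData.
            $who    = $x.Event.UserData.LogFileCleared
            $detail = "log cleared by $($who.SubjectDomainName)\$($who.SubjectUserName) (logon id $($who.SubjectLogonId))"
        }
        4719 {
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $detail = "audit policy changed by $($d.SubjectDomainName)\$($d.SubjectUserName): subcategory $($d.SubcategoryGuid) -> $($d.AuditPolicyChanges)"
        }
        default {
            $detail = ($e.Message -split "`n")[0]
        }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $detail }
}

$findings | Sort-Object Time | Format-Table -AutoSize

# Coverage check: how far back does the surviving log actually reach?
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Oldest Security record: $($oldest.TimeCreated); last boot: $boot"
if ($oldest.TimeCreated -gt $boot.AddHours(1)) {
    'WARNING: log does not reach back to boot - cleared, rolled over, or flooded'
}
```

Microsoft's caveat quoted above still applies: 4719 also fires when Group Policy legitimately refreshes audit settings, so the actor (`SubjectUserName`) and the timing relative to the policy refresh interval are what separate an intruder from routine noise.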
In addition to the Windows Security Log, admins can check the Internet Connection Firewall security log for clues.
Writing false events to the log
It is theoretically possible to write false events to the log. Microsoft notes, "To be able to write to the Security log, SeAuditPrivilege is required. By default, only Local System and Network Service accounts have such privilege". [ [http://msdn2.microsoft.com/en-us/library/ms731669.aspx Auditing Security Events] , Microsoft.] "Microsoft Windows Internals" states, "Processes that call audit system services . . . must have the SeAuditPrivilege privilege to successfully generate an audit record". [ [http://book.itzero.com/read/microsoft/0507/microsoft.press.microsoft.windows.internals.fourth.edition.dec.2004.internal.fixed.ebook-ddu_html/0735619174/ch08lev1sec4.html Microsoft Windows Internals] , Microsoft.] The Winzapper FAQ notes that it is "possible to add your own 'made up' event records to the log" but this feature was not added because it was considered "too nasty," a reference to the fact that someone with Administrator access could use such functionality to shift the blame for unauthorized activity to an innocent party. Server 2003 added some API calls so that applications could register with the security event logs and write security audit entries. Specifically, the AuthzInstallSecurityEventSource function installs the specified source as a security event source. [ [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authzinstallsecurityeventsource.asp AuthzInstallSecurityEventSource Function] , Microsoft.]
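The following PowerShell script is an added example, not code from the original article, for the check a practitioner would want after reading the paragraph above: which accounts on this machine hold SeAuditPrivilege ("Generate security audits"), and which sources are registered against the Security Log. It exports the user-rights assignment with `secedit` and lists the subkeys under the Security log's EventLog registry key. The temporary file path is an assumption; the privilege name, the `secedit` switches, the default holders (LOCAL SERVICE and NETWORK SERVICE) and the registry path are Microsoft's. Run it from an elevated prompt and compare the output against a known-good host.

```powershell
# Added example: who can write to the Security log on this host?
# Assumption: a temp file is acceptable for the secedit export.

$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported line looks like:  SeAuditPrivilege = *S-1-5-19,*S-1-5-20
$line = Select-String -Path $cfg -Pattern '^SeAuditPrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$sids = @()
if ($line) {
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Default holders: LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20).
$expected = 'S-1-5-19', 'S-1-5-20'
foreach ($sid in $sids) {
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = $sid
    }
    $flag = if ($sid -in $expected) { 'default' } else { 'EXTRA - review' }
    '{0,-40} {1,-14} {2}' -f $name, $sid, $flag
}

# Sources registered to write into the Security log. Anything not present on a
# known-good build of the same Windows version deserves a look.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security' |
    Select-Object -ExpandProperty PSChildName
```

An extra SID holding the privilege does not by itself prove that false records were written, but it is the precondition for the "shift the blame" scenario the Winzapper FAQ alludes to, and it is cheap to check.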
Admissibility in court
The EventTracker newsletter states that "The possibility of tampering is not enough to cause the logs to be inadmissible, there must be specific evidence of tampering in order for the logs to be considered inadmissible" [ [http://www.eventlogmanager.com/subpass/newsletter/april06.htm EventTracker Newsletter] , April 2006, Will your log files stand up in court? Authentication vs. logon events?] .
See also
*Log management and intelligence
*Common Log Format
External links
* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]
* [http://www.microsoft.com/downloads/details.aspx?FamilyID=82e6d48f-e843-40ed-8b10-b3b716f6b51b Description of security events in Windows Vista and in Windows Server 2008 (XLS)]